diff --git a/buildKaraage3.x.yml b/buildKaraage3.x.yml index acc96c0f8833325b61e90978b2be396bc01da46e..6523ca2f5fde8a5796ef9dfc536fc1e833e39db5 100644 --- a/buildKaraage3.x.yml +++ b/buildKaraage3.x.yml @@ -5,12 +5,12 @@ - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present ignore_errors: yes - service: name=network state=restarted - when: ansible_os_family == 'Redhat' + when: ansible_os_family == 'RedHat' roles: - - etcHosts - - easy-rsa-CA - - easy-rsa-certificate - - ldapserver + - etcHosts + - easy-rsa-CA + - easy-rsa-certificate + - ldapserver sudo: true vars: - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}" @@ -45,7 +45,7 @@ - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present ignore_errors: yes - service: name=network state=restarted - when: ansible_os_family == 'Redhat' + when: ansible_os_family == 'RedHat' roles: - etcHosts - easy-rsa-certificate diff --git a/roles/easy-rsa-common/tasks/yumList.yml b/roles/easy-rsa-common/tasks/yumList.yml index 7074ffef82c4f4c3dde0bc7c894b74a8ca912fbb..485a0f28a0769e8afe09f20c3910b3fd2ffb75c1 100644 --- a/roles/easy-rsa-common/tasks/yumList.yml +++ b/roles/easy-rsa-common/tasks/yumList.yml @@ -11,6 +11,7 @@ - name: "Setting hostname" shell: sysctl kernel.hostname={{ inventory_hostname }} + sudo: True - name: "Restarting Network" service: name=network state=restarted diff --git a/roles/etcHosts/files/makehosts.py b/roles/etcHosts/files/makehosts.py index fa830d92bc5dbc768a462fe87750a35f92d542c2..9f68ef107f505358189f44f7562948b67697267f 100755 --- a/roles/etcHosts/files/makehosts.py +++ b/roles/etcHosts/files/makehosts.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/bin/env python import sys import json import socket diff --git a/roles/etcHosts/tasks/main.yml b/roles/etcHosts/tasks/main.yml index 9d8e8fe8aeb9436e8afcbe54f882f036b389ed36..a1029fa022cb7c4f8ebd1cb91927ac223ed79753 100644 --- a/roles/etcHosts/tasks/main.yml 
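Review bot: The "Setting hostname" task in yumList.yml now runs as root via the added `sudo: True`, yet it still goes through `shell:` with `{{ inventory_hostname }}` interpolated unquoted into the command line, so any shell metacharacter in an inventory name is interpreted by a root shell. buildKaraage3.x.yml in this same diff already does the equivalent with the module form, `sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present`, which needs no shell and is idempotent; the same one-line change (keeping `sudo: true`) fits here. `True` is also the YAML 1.1 boolean spelling while the rest of the diff writes `sudo: true`.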
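Review bot: `#!/bin/env python` is not a portable interpreter path: `/bin/env` only exists where `/bin` is merged into `/usr` (CentOS 7), whereas Debian of this era ships `env` only as `/usr/bin/env`, and this script is executed on the control host via `delegate_to: 127.0.0.1` in roles/etcHosts/tasks/main.yml, whose OS the diff does not pin. The file is mode 0755 so the shebang is what actually runs; `#!/usr/bin/env python` is the conventional form and resolves on both families.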
+++ b/roles/etcHosts/tasks/main.yml @@ -9,7 +9,7 @@ run_once: True - name: make hosts data - command: /tmp/makehosts.py /tmp/groups {{ domain }} + shell: source /root/.bash_profile; /tmp/makehosts.py /tmp/groups {{ domain }} delegate_to: 127.0.0.1 run_once: True register: hosts_data diff --git a/roles/karaage3.1.17/tasks/apache.yml b/roles/karaage3.1.17/tasks/apacheDebian.yml similarity index 100% rename from roles/karaage3.1.17/tasks/apache.yml rename to roles/karaage3.1.17/tasks/apacheDebian.yml diff --git a/roles/karaage3.1.17/tasks/apacheRedHat.yml b/roles/karaage3.1.17/tasks/apacheRedHat.yml new file mode 100644 index 0000000000000000000000000000000000000000..6c7d2ad00d162b6df16022548f48992e3c594481 --- /dev/null +++ b/roles/karaage3.1.17/tasks/apacheRedHat.yml @@ -0,0 +1,27 @@ +--- + +- + name: "Installing Apache" + yum: name={{ item }} state=latest + with_items: + - mod_ssl + - mod_wsgi + - openssl + - httpd + - httpd-devel +- + name: Setting httpd.conf + replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}" +- + name: Setting ssl.conf + lineinfile: dest=/etc/httpd/conf.d/ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes + with_items: + - { regexp : "^SSLCertificateFile", line : "SSLCertificateFile {{ x509_cert_file }}" } + - { regexp : "SSLCertificateKeyFile", line : "SSLCertificateKeyFile {{ x509_key_file }}" } + - { regexp : "SSLCACertificateFile", line : "SSLCACertificateFile {{ x509_cacert_file }}" } +- + name: Templating wsgi.conf + template: src=wsgi.conf.j2 dest=/etc/httpd/conf.d/wsgi.conf owner=root group=root +- + name: Restarting Apache + service: name=httpd state=restarted diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml index 9c46fef8a5138123cda40ee15925622fabd6afc3..57101bed1b63a55301cfc8fffad8396aa60902e5 100644 --- a/roles/karaage3.1.17/tasks/karaage.yml +++ b/roles/karaage3.1.17/tasks/karaage.yml 
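Review bot: Replacing `command:` with `shell: source /root/.bash_profile; /tmp/makehosts.py /tmp/groups {{ domain }}` turns `domain` into shell-interpreted text and runs a script out of world-writable `/tmp` on the control host (`delegate_to: 127.0.0.1`) after sourcing root's login profile. If the goal is only to pick up a PATH or virtualenv from that profile, the `environment:` keyword on the original `command:` task (for example `environment: { PATH: "/opt/python/bin:{{ ansible_env.PATH }}" }`) achieves that without a shell and keeps `{{ domain }}` a single argv element. Whatever copies makehosts.py into /tmp is outside this hunk; executing it from a root-owned, non-world-writable location would close the window in which another local user can replace it before this root-run task fires. The enclosing task list begins before the hunk.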
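Review bot: The new RedHat path edits the package's /etc/httpd/conf.d/ssl.conf in place and only rewrites the three certificate paths, so the protocol and cipher hardening this same diff puts into templates/ssl.conf.j2 (`SSLProtocol all -SSLv2 -SSLv3` and the PFS-first `SSLCipherSuite`) never reaches a RedHat host; depending on the httpd package version, the stock file may still allow SSLv3 and use `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5`. Either template ssl.conf.j2 to /etc/httpd/conf.d/ssl.conf here, as the wsgi.conf task already does for its template, or add `SSLProtocol` and `SSLCipherSuite` entries to the `lineinfile` list. The `SSLCertificateKeyFile` and `SSLCACertificateFile` regexps are unanchored, unlike `^SSLCertificateFile`, so they also match commented occurrences; with `backrefs=yes` and last-match semantics this happens to work on the stock file, but `^#?SSLCACertificateFile` makes the intent explicit. `yum: state=latest` for mod_ssl/openssl/httpd upgrades those packages on every run and then unconditionally restarts httpd; `state=present` plus a handler keeps runs predictable.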
@@ -1,6 +1,6 @@ --- - - name: "Installing prerequisites" + name: "Installing prerequisites Debian" apt: name={{ item }} update_cache=yes with_items: - libxml2-dev 
@@ -11,49 +11,107 @@ - ldap-utils - python-cracklib - git + when: ansible_os_family == "Debian" +- + name: "Installing prerequisites Redhat" + yum: name={{ item }} state=latest + with_items: + - libxml2-devel + - libxslt-devel + - python-lxml + - openldap-clients + - cracklib-python + - git + - gcc + - gcc-c++ + - gcc-gfortran + - freetype-devel + - libpng-devel + - lapack-devel + - blas-devel + - libffi-devel + when: ansible_os_family == "RedHat" +- + name: Install the latest pip + shell: easy_install pip + when: ansible_os_family == "RedHat" - name: "Getting Karaage from Github" git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" - name: "Installing Karaage Dependencies" - pip: name={{ item }} extra_args="--upgrade" + pip: name={{ item }} with_items: - six - MySQL-python - - mincss - slimit - ply + - cython + - django-celery + - mod_wsgi - name: "Restrict Django version to 1.7.8" replace: dest=/root/karaage3.1.7/setup.py regexp="Django >= 1.7" replace="Django == 1.7.8" - name: "Installing Karaage from source" - shell: python setup.py install + shell: "env python setup.py install" args: chdir: /root/karaage3.1.7 creates: /root/karaage3.1.7/build/bdist.linux-x86_64 - name: "Templating Karaage settings" - template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group=www-data mode=0640 -- - name: "Creating karaage3 in /var/log" - file: path=/var/log/karaage3 state=directory owner=www-data group=www-data mode=0755 + template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group={{ apache_user }} mode=0640 - - name: "Creating karaage3 in /var/lib" - file: path=/var/lib/karaage3 state=directory owner=root group=www-data mode=0775 + name: "Creating karaage3 in /var directories log, lib " + file: path={{ item }} state=directory owner=root group={{ apache_user }} mode=0775 + with_items: + - /var/log/karaage3 + - /var/lib/karaage3 + - /var/cache/karaage3 - name: "Change permissions for /var/www" - file: path=/var/www 
state=directory owner=root group=www-data mode=0775 + file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775 - name: "enabling Karaage configuration" shell: a2enconf karaage3-wsgi + when: ansible_os_family == "Debian" - - name: "Installing other packages" + name: "enabling Karaage configuration" + shell: cp -rvpf /root/karaage3.1.7/conf/karaage3-wsgi.conf /etc/httpd/conf.d/karaage3-wsgi.conf + when: ansible_os_family == "RedHat" +- + name: "Installing other packages Debian" apt: name={{ item }} update_cache=yes with_items: - python-kgusage - karaage-cluster-tools - karaage3-celery + when: ansible_os_family == "Debian" +- + name: Downloading other packages RedHat + git: repo={{ item.repo }} dest={{ item.dest }} + with_items: + - { repo : 'https://github.com/numpy/numpy.git', dest : '/root/numpy' } + - { repo : 'https://github.com/matplotlib/matplotlib.git', dest : '/root/matplotlib' } + - { repo : 'https://github.com/Karaage-Cluster/karaage-software.git', dest : '/root/karaage-software' } + - { repo : 'https://github.com/Karaage-Cluster/karaage-usage.git', dest : '/root/karaage-usage' } + - { repo : 'https://github.com/Karaage-Cluster/karaage-applications.git', dest : '/root/karaage-applications' } + - { repo : 'https://github.com/Karaage-Cluster/karaage-cluster-tools.git', dest : '/root/karaage-cluster-tools' } + when: ansible_os_family == "RedHat" +- + args: + chdir: "/root/{{ item }}" + creates: "/root/{{ item }}/build/bdist.linux-x86_64" + name: "Installing other packages RedHat" + shell: "env python setup.py install" + when: ansible_os_family == "RedHat" + with_items: + - numpy + - matplotlib + - karaage-applications + - karaage-software + - karaage-usage + - karaage-cluster-tools - name: "Set Secret Key" lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present 
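Review bot: The new "Downloading other packages RedHat" task clones six repositories with no `version:`, and the task after it runs `python setup.py install` as root on whatever their default branch currently holds, so each run installs unreviewed upstream HEAD of numpy, matplotlib and the karaage-* plugins into the system Python; the `pip:` list and `shell: easy_install pip` are likewise unpinned. Pin each clone to a tag or commit, e.g. `git: repo={{ item.repo }} dest={{ item.dest }} version={{ item.version }}` with a `version` key on every entry, and give the pip items explicit versions so a host can be rebuilt reproducibly. mod_wsgi is now installed both via `yum` in apacheRedHat.yml and via `pip` here; only the yum build matches the `modules/mod_wsgi.so` path that wsgi.conf.j2 loads, so the pip entry is presumably redundant — confirm and drop one. The unchanged `SECRET_KEY = 'imkaraage'` line that closes the hunk remains a static Django secret committed to the repository; generating it per host is a follow-up worth tracking.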
@@ -63,6 +121,13 @@ - name: "Restarting Celery" service: name=karaage3-celery state=restarted + when: ansible_os_family == "Debian" - name: "Reloading apache" service: name=apache2 state=reloaded + when: ansible_os_family == "Debian" + +- + name: "Reloading apache" + service: name=httpd state=reloaded + when: ansible_os_family == "RedHat" diff --git a/roles/karaage3.1.17/tasks/main.yml b/roles/karaage3.1.17/tasks/main.yml index 41d82bd8670b8bcfca7d4c0250ba7440d2c8de79..3fb11c21787e45de3da5ff4380ccc60b8662a0e4 100644 --- a/roles/karaage3.1.17/tasks/main.yml +++ b/roles/karaage3.1.17/tasks/main.yml @@ -1,5 +1,9 @@ --- - - include: prerequisites.yml - - include: apache.yml + - include: prerequisitesDebian.yml + when: ansible_os_family == "Debian" + - include: apacheDebian.yml + when: ansible_os_family == "Debian" + - include: apacheRedHat.yml + when: ansible_os_family == 'RedHat' - include: mysql.yml - include: karaage.yml diff --git a/roles/karaage3.1.17/tasks/mysql.yml b/roles/karaage3.1.17/tasks/mysql.yml index 2803bd1c3e35d27a11ed7918d52020ffe012d689..e2df0e3db90c7f569db638ed4c94b1b646bd51a9 100644 --- a/roles/karaage3.1.17/tasks/mysql.yml +++ b/roles/karaage3.1.17/tasks/mysql.yml @@ -1,6 +1,6 @@ --- - - name: "Installing MySQL" + name: "Installing MySQL Debian" apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present with_items: - python 
@@ -11,12 +11,32 @@ - python-mysql.connector - mysql-server - python-mysqldb + when: ansible_os_family == "Debian" +- + name: Installing MySQL RedHat + yum: name="{{ item }}" state=latest + with_items: + - python + - python-devel + - mysql-devel + - mysql-libs + - MySQL-python + - mysql-server + when: ansible_os_family == "RedHat" - name: "Starting MySQL" service: name=mysql state=started enabled=true + when: ansible_os_family == "Debian" + +- + name: "Starting MySQL" + service: name=mysqld state=started enabled=true + when: ansible_os_family == "RedHat" - name: "Templating karaage.cnf" template: src="karaage.cnf.j2" dest=/etc/mysql/conf.d/karaage.cnf owner=root group=root + when: ansible_os_family == "Debian" + - name: "Adding root" sudo: true @@ -26,6 +46,21 @@ - 127.0.0.1 - ::1 - localhost +- + name: Setting mysql global variables + mysql_variables: variable={{ item.var }} value={{ item.val }} login_user=root login_password="{{ mysql_root_password }}" + with_items: + - { var : 'character_set_server', val : 'utf8' } + - { var : 'storage_engine', val : 'innodb' } + - { var : 'sql_mode', val : 'STRICT_ALL_TABLES' } + when: ansible_os_family == "RedHat" +- + name: "Editing my.cnf" + lineinfile: dest=/etc/my.cnf line="{{ item }}" + with_items: + - '[client]' + - 'default-character-set = utf8' + when: ansible_os_family == "RedHat" - name: "Adding Karaage Database" mysql_db: name=karaage state=present login_user=root login_password={{ mysql_root_password }} @@ -36,3 +71,8 @@ - name: "Starting MySQL" service: name=mysql state=restarted + when: ansible_os_family == "Debian" +- + name: "Starting MySQL" + service: name=mysqld state=restarted + when: ansible_os_family == "RedHat" diff --git a/roles/karaage3.1.17/tasks/prerequisites.yml b/roles/karaage3.1.17/tasks/prerequisitesDebian.yml similarity index 100% rename from roles/karaage3.1.17/tasks/prerequisites.yml rename to roles/karaage3.1.17/tasks/prerequisitesDebian.yml 
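Review bot: The new "Setting mysql global variables" task applies `character_set_server`, `storage_engine` and `sql_mode=STRICT_ALL_TABLES` with `SET GLOBAL`, which lives only in server memory, and the last hunk of this file then restarts `mysqld`, so on a RedHat host those settings are gone by the time Karaage first connects; the Debian path presumably carries them in the templated karaage.cnf, which is now skipped for RedHat. Put them in a `[mysqld]` section of /etc/my.cnf (the `lineinfile` task that follows only appends a `[client]` section) and drop the runtime `SET GLOBAL`, or move it after the restart. `lineinfile` without `insertafter` appends at end of file, so `[client]` and `default-character-set = utf8` only land in the right section because nothing follows them; `ini_file: dest=/etc/my.cnf section=client option=default-character-set value=utf8` is robust against that. `storage_engine` as a server variable was removed in MySQL 5.7 in favour of `default_storage_engine`, and with `yum: state=latest` the installed version is not pinned, so confirm which name the target accepts.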
diff --git a/roles/karaage3.1.17/templates/settings.py.j2 b/roles/karaage3.1.17/templates/settings.py.j2 index 90b9cf6c25604ec822b2cb24e24320fcf2d39f93..1db75154159f1408ec150b3dba136095969865b0 100644 --- a/roles/karaage3.1.17/templates/settings.py.j2 +++ b/roles/karaage3.1.17/templates/settings.py.j2 @@ -186,35 +186,35 @@ LOGGING = { 'class': 'karaage.common.logging.FileHandler', 'filename': '/var/log/karaage3/django.log', 'formatter': 'verbose', - 'owner': ['www-data', 'www-data'], + 'owner': ['{{ apache_user }}', '{{ apache_user }}'], }, 'karaage_file': { 'level': 'WARNING', 'class': 'karaage.common.logging.FileHandler', 'filename': '/var/log/karaage3/karaage.log', 'formatter': 'verbose', - 'owner': ['www-data', 'www-data'], + 'owner': ['{{ apache_user }}', '{{ apache_user }}'], }, # 'ldap_file': { # 'level': 'DEBUG', # 'class': 'karaage.common.logging.FileHandler', # 'filename': '/var/log/karaage3/ldap.log', # 'formatter': 'verbose', - # 'owner': ['www-data', 'www-data'], + # 'owner': ['{{ apache_user }}', '{{ apache_user }}'], # }, # 'mam_file': { # 'level': 'DEBUG', # 'class': 'karaage.common.logging.FileHandler', # 'filename': '/var/log/karaage3/mam.log', # 'formatter': 'verbose', - # 'owner': ['www-data', 'www-data'], + # 'owner': ['{{ apache_user }}', '{{ apache_user }}'], # }, # 'slurm_file': { # 'level': 'DEBUG', # 'class': 'karaage.common.logging.FileHandler', # 'filename': '/var/log/karaage3/slurm.log', # 'formatter': 'verbose', - # 'owner': ['www-data', 'www-data'], + # 'owner': ['{{ apache_user }}', '{{ apache_user }}'], # }, }, 'loggers': { diff --git a/roles/karaage3.1.17/templates/ssl.conf.j2 b/roles/karaage3.1.17/templates/ssl.conf.j2 index 5f69be6410a46e50397924ea932b113d825533e8..46ae7a92679ca4b7c8504b80c550f62f189b1447 100644 --- a/roles/karaage3.1.17/templates/ssl.conf.j2 +++ b/roles/karaage3.1.17/templates/ssl.conf.j2 
@@ -1,20 +1,21 @@ -<IfModule mod_ssl.c> # -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the SSL library. -# The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. Read the mod_ssl User -# Manual for more details. +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. # -SSLRandomSeed startup builtin -SSLRandomSeed startup file:/dev/urandom 512 -SSLRandomSeed connect builtin -SSLRandomSeed connect file:/dev/urandom 512 + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 443 ## ## SSL Global Context @@ -23,12 +24,6 @@ SSLRandomSeed connect file:/dev/urandom 512 ## the main server and all SSL-enabled virtual hosts. ## -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal 
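Review bot: Dropping the `<IfModule mod_ssl.c>` guard and adding `LoadModule ssl_module modules/mod_ssl.so` plus `Listen 443` to the template assumes an httpd ServerRoot with a `modules/` directory and that no other file listens on 443, i.e. a RedHat layout. The apacheRedHat.yml task in this diff does not deploy this template at all (it edits the stock ssl.conf with `lineinfile`), so the only consumer is presumably the Debian path, where `modules/mod_ssl.so` does not resolve under /etc/apache2, `Listen 443` is already provided by ports.conf, and a duplicate `Listen` on the same port is a fatal bind error in Apache 2.4. If the template is meant for both families, keep the `LoadModule`/`Listen` lines out of it (the packages already provide them) or wrap them in `{% if ansible_os_family == 'RedHat' %}`.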
@@ -38,45 +33,188 @@ SSLPassPhraseDialog builtin # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). -# (The mechanism dbm has known memory leaks and should not be used). -#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache -SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. -Mutex default +Mutex sysvsem default +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. 
+# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + +<VirtualHost {{ ansible_fqdn }}:443> + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. See the -# ciphers(1) man page from the openssl package for list of all available -# options. -# Enable only secure ciphers: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA -# Speed-optimized SSL Cipher configuration: -# If speed is your main concern (on busy HTTPS servers e.g.), -# you might want to force clients to specific, performance -# optimized ciphers. 
In this case, prepend those ciphers -# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. -# Caveat: by giving precedence to RC4-SHA and AES128-SHA -# (as in the example below), most connections will no longer -# have perfect forward secrecy - if the server's key is -# compromised, captures of past or future traffic must be -# considered compromised, too. -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 -#SSLHonorCipherOrder on - -# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2 -SSLProtocol all -SSLv2 -SSLv3 +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile {{ x509_cert_file }} + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +SSLCertificateKeyFile {{ x509_key_file }} + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +SSLCACertificateFile {{ x509_cacert_file }} + +# Client Authentication (Type): +# Client certificate verification type and depth. 
Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. 
+# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +<Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars +</Files> +<Directory "/var/www/cgi-bin"> + SSLOptions +StdEnvVars +</Directory> -# Allow insecure renegotiation with clients which do not yet support the -# secure renegotiation protocol. Default: Off -#SSLInsecureRenegotiation on +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. 
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 -# Whether to forbid non-SNI clients to access name based virtual hosts. -# Default: Off -#SSLStrictSNIVHostCheck On +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -</IfModule> +</VirtualHost> diff --git a/roles/karaage3.1.17/templates/wsgi.conf.j2 b/roles/karaage3.1.17/templates/wsgi.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..19f356756b9a652a3f737cf10f9bd3996c6b9430 --- /dev/null +++ b/roles/karaage3.1.17/templates/wsgi.conf.j2 @@ -0,0 +1 @@ +LoadModule wsgi_module modules/mod_wsgi.so diff --git a/roles/karaage3.1.17/vars/main.yml b/roles/karaage3.1.17/vars/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..639e52847c015ad1b083c78e9b4abb3ad1b27b20 --- /dev/null +++ b/roles/karaage3.1.17/vars/main.yml @@ -0,0 +1,2 @@ +--- + apache_user: "{% if ansible_os_family == 'RedHat' %}apache{% else %}www-data{% endif %}" diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml index 36ef330997c13a314b404084769db11e6022a509..86c6b1f01bb922af0fb434cd24c16747ef939f6a 100644 --- a/roles/ldapserver/tasks/main.yml +++ b/roles/ldapserver/tasks/main.yml @@ -93,7 +93,7 @@ - name: enable ssl centos lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap sudo: true - when: ansible_os_family == 'RedHat' + when: ansible_os_family == 'RedHat' and ansible_distribution_major_version < '7' - name: start ldap service: name=slapd state=restarted 
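Review bot: The vhost block moves `SSLProtocol all -SSLv2 -SSLv3` into the virtual host and keeps the carefully ordered PFS-first `SSLCipherSuite`, but never sets `SSLHonorCipherOrder on`, so the client's preference decides and the ordering enforces nothing; add `SSLHonorCipherOrder on` beside `SSLProtocol`. The list also still admits `DES-CBC3-SHA` and the bare `AES:CAMELLIA` groups, which is fine for very old clients but worth a comment if intentional. `<VirtualHost {{ ansible_fqdn }}:443>` makes httpd resolve the hostname at startup and fail to start if it does not resolve; Apache's documentation recommends an address or `*:443` there with `ServerName {{ ansible_fqdn }}` inside the block, which is currently only a commented example. The `SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0` stanza is the 2.2-era MSIE workaround and can go on a 2.4 host.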
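Review bot: `ansible_distribution_major_version < '7'` compares two strings, so the result is lexicographic: `'6' < '7'` is true as intended, but `'10' < '7'` is also true, and the matching `>= '7'` branch later in this file would skip any two-digit major; convert before comparing, `when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 7`. This branch keeps a CentOS 6 code path, yet the same diff renames roles/ldapserver/vars/CentOS_6.6_x86_64.yml to CentOS_7.0.1406_x86_64.yml without leaving any 6.x vars file; if those vars are loaded per distribution/version (the loading task is not visible here), the 6 branch now has no `dbname`, `ldapuser` or `ldapgroup`.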
@@ -139,6 +139,14 @@ ignore_errors: true register: binddnConfigured +- + name: Initialise cosine and ppolicy + shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config + with_items: + - ppolicy + - cosine + ignore_errors: true + when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7' - name: initialise server ssl shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config diff --git a/roles/ldapserver/vars/CentOS_6.6_x86_64.yml b/roles/ldapserver/vars/CentOS_7.0.1406_x86_64.yml similarity index 79% rename from roles/ldapserver/vars/CentOS_6.6_x86_64.yml rename to roles/ldapserver/vars/CentOS_7.0.1406_x86_64.yml index 6df1376a24b1c49c05ce26eff64e46fd1a7b7577..51bcdb11ba3722c1aa43c7dc155fc29d59dfd7f4 100644 --- a/roles/ldapserver/vars/CentOS_6.6_x86_64.yml +++ b/roles/ldapserver/vars/CentOS_7.0.1406_x86_64.yml @@ -5,4 +5,4 @@ - openssl ldapuser: ldap ldapgroup: ldap - dbname: olcDatabase={2}bdb + dbname: olcDatabase={2}hdb
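Review bot: Loading the `ppolicy` and `cosine` schemas with `ignore_errors: true` means a genuine failure (wrong path, slapd not listening on ldapi, permission denied) is silently accepted, and since ppolicy is what enforces LDAP password policy the server would come up without it and nothing in the play would notice. Register the result and tolerate only the already-loaded case, e.g. `register: schema_result` and `failed_when: schema_result.rc != 0 and 'Duplicate' not in schema_result.stderr` (confirm the exact duplicate-schema message against the slapd version in use), with `changed_when` on the same condition. Adding the schema does not enable the overlay; if a password policy is intended, an `olcOverlay=ppolicy` entry still has to be added, which may live outside this hunk. The `>= '7'` check here has the same lexicographic string-comparison problem as the `< '7'` check earlier in this file; use `|int`.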